CN103081402A - Method and system for securing access to configuration information stored in universal plug and play data models - Google Patents
Method and system for securing access to configuration information stored in universal plug and play data models Download PDFInfo
- Publication number
- CN103081402A CN103081402A CN201180039252XA CN201180039252A CN103081402A CN 103081402 A CN103081402 A CN 103081402A CN 201180039252X A CN201180039252X A CN 201180039252XA CN 201180039252 A CN201180039252 A CN 201180039252A CN 103081402 A CN103081402 A CN 103081402A
- Authority
- CN
- China
- Prior art keywords
- nodes
- control point
- data model
- role
- node
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/02—Details
- H04L12/22—Arrangements for preventing the taking of data from a data transmission channel without authorisation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/2803—Home automation networks
- H04L12/2807—Exchanging configuration information on appliance services in a home automation network
- H04L12/2812—Exchanging configuration information on appliance services in a home automation network describing content present in a home automation network, e.g. audio video content
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/2803—Home automation networks
- H04L12/2807—Exchanging configuration information on appliance services in a home automation network
- H04L12/2809—Exchanging configuration information on appliance services in a home automation network indicating that an appliance service is present in a home automation network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/2803—Home automation networks
- H04L12/2816—Controlling appliance services of a home automation network by calling their functionalities
- H04L12/282—Controlling appliance services of a home automation network by calling their functionalities based on user interaction within the home
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/104—Grouping of entities
Abstract
The present invention provides a method and system for securing access to configuration information stored in universal plug and play data models. In one embodiment, a request to operate on node(s) of a data model is received from a control point (CP). The data model includes a plurality of nodes and each of the plurality of nodes represents configuration information. A role associated with the CP is determined. It is determined whether the role of CP is in a recommended role list. If the role is present, then the CP is allowed to operate on the node(s). If the role is not present, then it is determined whether the CP is having an appropriate role to operate on the node(s) based on ACL data associated with the node(s). Accordingly, the CP is allowed to operate on the node(s) or an error message is returned on the display of the CP.
Description
Technical field
The present invention relates to the field of UPnP (UPnP) domestic network system, more specifically, relate to the access (access) to UPnP equipment management data model.
Background technology
UPnP (UPnP) is one group of computer network protocol of being issued by UPnP forum.The target of UPnP is to allow the access seamless link, and simplifies the enforcement (for example, data sharing, communications and entertainment) of network in family and the corporate environment.These targets are based upon by definition and issue that the UPnP device control protocol of the communication standard of open, Internet-based realizes.
The UPnP technology can be catered in the home network widely equipment.UPnP provides discovery, control and event handling (eventing) mechanism.Use the SSDP agreement to enable discovery.The GENA agreement is followed in event handling.Use these technology, UPnP is so that available and unavailable to the miscellaneous equipment in the UPnP home network of the UPnP equipment of free time (on the fly).
The UPnP framework allows household electrical appliances and the wireless device of personal computer (PC), networking to carry out Peer-To-Peer.It is based on distributed, the open framework such as the standard of having set up of TCP/IP, UDP, HTTP and XML.The UPnP framework is supported the zero configuration networking.For example, from the UPnP compatible equipment of any manufacturer can dynamically add network, obtain the IP address, broadcast it title, pass on its performance and understand existence and the performance of other equipment according to request.On the other hand, UPnP equipment can automatically leave the UPnP home network and not stay any undesirable state information.
The basis of UPnP network is the IP addressing.Each UPnP equipment comprises the UPnP client, when UPnP equipment First Contact Connections during to the UPnP network, and this dhcp client search Dynamic Host Configuration Protocol server.If there is not available Dynamic Host Configuration Protocol server, then UPnP equipment is that it distributes the address itself.If in the DHCP process of exchange, UPnP equipment obtains domain name, for example, transmits by dns server or via DNS, and then UPnP equipment uses this title in network operation subsequently; Otherwise UPnP equipment uses its IP address.
UPnP is general security solution with the equipment protection service definition, and its all services that can be defined among the UPnP are used.The equipment protection service definition role's concept.In order to carry out the UPnP action, all control points or control appliance are assigned different roles, i.e. public (public), basis (basic) and management (admin).Different DCP and manufacturer can these roles of spread set.
The concept of UPnP equipment control service definition data model.Data model is the tree-shaped expression of the relevant information of various device and service configuration.Data model consists of various nodes, such as leaf node, single-instance node, many examples node and example node.Data model can comprise the sensitive information that needs protection.In addition, some configuration informations of storing in the data model can with home network environment in some control points or user irrelevant.When request, current equipment protection service provides the complete configuration information of storing in the data model to the control point.As a result, the control point obtains the sensitivity that provides in the complete configuration information and the access of irrelevant information.
Summary of the invention
Technical problem
Therefore, there are the needs that access control is provided in order to check, read the configuration information that (read) and modification (modify) store in UPnP equipment management data model, thereby provide protection to the configuration information of storing in the data model.
Technical scheme
The invention provides safety (securing) and access the method and system of the configuration information of in UPnP (UPnP) data model, storing.In the following detailed description of embodiments of the invention, the accompanying drawing that forms a part of the present invention is carried out reference, and show the specific embodiment that the present invention can put into practice as example in the accompanying drawings.These embodiment are enough described in detail, so that those skilled in the art can put into practice the present invention, and are understandable that, can utilize other embodiment, and can change and do not depart from the scope of the present invention.Therefore, following detailed description is not the meaning of restriction, and scope of the present invention is only by appended claim definition.
Run through whole file, term " UPnP data model " and " data model " can Alternates.
Technique effect
As mentioned above, according to the present invention, might provide access control for checking, read and be modified in the configuration information of storing in the UPnP equipment management data model, thereby provide protection to the configuration information of storing in the data model.
Description of drawings
Fig. 1 illustrates according to a process chart embodiment, that the configuration information that is stored in UPnP (UPnP) data model provided the illustrative methods of safety (secured) access.
Fig. 2 is the schematically showing of exemplary UPnP data model that has in the context of the present invention multinode.
Fig. 3 is the flow chart that illustrates according to the illustrative methods of a configuration information embodiment, the secure access data model.
Fig. 4 illustrates according to a many examples node embodiment, by control point Update Table model and with respect to the flow chart of the illustrative methods of another control point protection (securing) amended many examples node.
Fig. 5 illustrates according to a block diagram embodiment, that be used for the domestic network system of the configuration information that secure access stores at the UPnP data model.
Fig. 6 is the block diagram of various assemblies of control appliance that the domestic network system of those domestic network systems shown in Fig. 5 of the embodiment that be used for to realize this theme is shown.
Diagram as described herein only is used for the example purpose, and is not intended to limit by any way the scope of the present disclosure.
Embodiment
Fig. 1 illustrates according to a handling process Figure 100 embodiment, that the configuration information that is stored in the UPnP data model provided the illustrative methods of secure access.In step 102, the control point from home network environment receives the request of (a plurality of) node of operating data model.Data model comprises a plurality of nodes, such as leaf node, single-instance node, many examples node and example node.The configuration information that each storage in a plurality of nodes is associated with the control point in the home network environment.Configuration information can be service configuration information and device configuration information.With reference to Fig. 2, data model 200 is illustrated, and comprises node/A/B, node/A/E, node/A/F, node/A/B/C, node/A/B/D and node/A/B/G so that store configuration information.Any node of control point in can the request operational data model.
In step 104, based on the definite role who is associated with the control point of request.In the control point in the home network environment each is assigned with the role so that the configuration information that operation is associated.For example, the control point that is associated with request can be assigned with public role, basic role or role of manager.Can be pointed out that, can be assigned to the control point such as the role of any other type of manufacturer's assigned role.
In step 106, the role who determines to distribute to the control point whether be in request in the recommendation role tabulation that is associated of the operation (for example, access, read or revise) of appointment.Recommend role's tabulation comprise with home network environment in recommendedly carry out access, read role's tabulation that the control point with retouching operation is associated for the node to the data model.Recommend in role's tabulation if described role is in, then in step 108, the control point is allowed to (a plurality of) node of operating data model.
For example, if at step 102 control point the node/A/B/C of request access data model 200, then based on recommending role's tabulation, control appliance allows control point access node/A/B/C.If request is associated with read operation, then control appliance allows the control point to read in the configuration information of storing among the node/A/B/C of data model 200.Replacedly, if control point request retouching operation, then control appliance allows the control point for example to revise node/A/B/C(, adds another node or deletion of node).In certain embodiments, (a plurality of) associated nodes that on the display at control point, only shows data model.In these embodiments, at all the other nodes that do not show data model on the display at control point (node except the node of request).
Recommend in role's tabulation if described role is in, then in step 110, determine whether the control point has the suitable role that (a plurality of) node at data model operates.In one embodiment, use the access control list (ACL) data that are associated with (a plurality of) node of asking in the data model to make definite.What can note is that the ACL data are nodal communitys.The ACL data that are associated with node comprise with access elements, read element and/or revise the node identifier that element is associated.Access elements, read element and revise the element indication be authorized to carry out access at the node that is associated with the respective nodes identifier, read with retouching operation in the character types of each operation.Exemplary ACL data and the corresponding node identifier of each node have been shown in the table 1 below.
Table 1
With reference to Fig. 2 and table 1, the control point with public role is allowed to access and has the node of node identifier/A/B/C, and the control point with basic role is allowed to read the node with node identifier/A/B/C.Yet, do not have the role to be authorized to revise the node with node identifier/A/B/C.Control point with basic role is allowed to access and has the node of node identifier/A/B, and the control point with admin role is allowed to access and/or revises the node with node identifier/A/B.Similarly, control point with public role is allowed to the node that access has node identifier/A/B/D, control point with basic role is allowed to read the node with node identifier/A/B/D, and the control point with admin role is allowed to revise the node with node identifier/A/B/D.In appendix A, B and C, provide respectively for node identifier/A/B/C ,/A/B ,/the exemplary XML framework of the ACL data of A/B/D.
Return with reference to Fig. 1, following execution determines based on the ACL data of (a plurality of) node whether the control point should be allowed to operation (a plurality of) node.At first, determine with ask in the node identifier that is associated of indicated node.Then, retrieve the ACL data that are associated with the node of solicit operation.In addition, determine the role be associated with the control point whether with the role match that is authorized to node in the ACL data and carries out the operation of asking.If the coupling of discovery, any other node that the request of then determining whether operates on it.If do not remain any node, then repeat above-mentioned steps, until all nodes are all processed.If do not remain node to be processed and all find coupling for the node of all requests, then execution in step 108.If in the node of one or more requests, do not find coupling, then return error message at the display of step 112 at the control point.
For example, consider that the control point request carries out read operation and the role that is associated with the control point is public role at node/A/B/D.As shown in table 1, the indication of ACL data " ACCESS=PUBLIC, the READ=BASIC that are associated with node/A/B/D; MODIFY=ADMIN ".Therefore, return refusal carries out read operation at node/A/B/D error message.Yet if the control point request is carried out accessing operation at node/A/B/D, the control point is allowed to carry out read operation at node/A/B/D because in table 1 the public role of access elements instructs node/A/B/D.
Fig. 3 is the flow chart 300 that illustrates according to the illustrative methods of a configuration information embodiment, the secure access data model.In step 302, the ACL data that equipment protection (DP) entity will be associated with equipment protection (DP) service offer configuration admin service (CMS) entity.In step 304, the CMS entity loads CMS ACL data by outband channel.In step 306, CMS entity and CP1 verify mutually.In step 308, CP1 sends the request of visit data model to the CMS entity.
In step 310, the CMS entity utilizes the DP entity to check whether CP1 has the authority of visit data model.The DP entity determines whether the role of CP1 is present in the recommendation role tabulation.The DP entity finds that CP1 does not have the authority of visit data model.In step 312, the DP entity confirms that CP1 does not have the authority of visit data model.In step 314, the CMS entity is determined whether CP1 has for the suitable role of (a plurality of) node of asking of visit data model and is found that CP1 has the access permission of access (a plurality of) node.Therefore, in step 316, the CMS entity returns the data model that only has (a plurality of) node of asking to CP1, and hides all the other nodes to CP1.
Fig. 4 illustrates according to a many examples node embodiment, by control point Update Table model and protects the flow chart 400 of the illustrative methods of amended many examples node with respect to another control point.In step 402, the ACL data that equipment protection (DP) entity will be associated with equipment protection (DP) service offer configuration admin service (CMS) entity.In step 404, the CMS entity loads CMS ACL data by outband channel.In step 406, CMS entity and CP1 verify mutually.In step 408, CP1 sends the request of many examples node of Update Table model to the CMS entity.
In step 410, CMS utilizes the DP entity to check whether CP1 has the access rights of many examples node of Update Table model.The DP entity determines whether the role of CP1 is present in the recommendation role tabulation.The DP entity finds that CP1 does not have the access rights of many examples node of Update Table model.In step 412, the DP entity confirms that CP1 does not have the access rights of many examples node of Update Table model.In step 414, the CMS entity is determined whether CP1 has for the suitable role of many examples node of Update Table model and is found that CP1 has the suitable role who revises many examples node based on CMS ACL data.Therefore, in step 416, the CMS entity notifies many examples node successfully to revise to CP1.
In step 418, CP1 request CMS entity is checked amended many examples node of data model.In step 420, the CMS entity shows amended many examples node of data model to CP1.Now, in step 422, another control point (CP2) attempts amended many examples node of visit data model, and sends request to the CMS entity.In step 424, the CMS entity returns error message to CP2, because CP2 does not have the coupling role who reads the configuration information in amended many examples node.For example, many examples node that the CMS substantial definition is called as "/UPnP/DM/DeviceInfo/PhysicalDevice/NetworkInterface/#/", and CP1 is allowed to many examples node is called the modification order in order to create network interface 1(NetworkInterface1).Yet based on the ACL data of many examples node, CP2 is not allowed to read the configuration information relevant with the network interface of new establishment.
Fig. 5 be illustrate according to an embodiment, be used for secure access at the block diagram of the domestic network system 500 of the configuration information of UPnP data model 200 storages.In Fig. 5, domestic network system 500 comprises control appliance 502 and control point 506.According to the present invention, control appliance 502 comprises configuration admin service (CMS) module 504, and it has data model 200.
In exemplary operation, control point 506 is invoked at the request that operates on (a plurality of) node of the data model 200 that is associated with configuration admin service.CMS module 504 is based on the definite role who is associated with control point 506 of request.CMS module 504 determines whether the role who is associated with control point 506 is in the recommendation role tabulation.Recommend in role's tabulation if the role is in, then CMS module 504 allows control points 506 to access/read/(a plurality of) node of Update Table model 200.Recommend in role's tabulation if the role is present in, then CMS module 504 determines based on the ACL data of (a plurality of) node whether control point 506 has the suitable role that (a plurality of) node at data model 200 operates.Determine CMS module 504 or allow control point 506 to access/read/(a plurality of) node of Update Table model 200 or 506 return error message to the control point based on this.Will be appreciated that according to the one or more embodiment shown in Fig. 1 to Fig. 4 the configuration information that 504 secure access of CMS module are stored in the UPnP data model.
Fig. 6 is the block diagram of various assemblies of control appliance 502 that the domestic network system 500 of those domestic network systems shown in Fig. 5 of the embodiment that be used for to realize this theme is shown.In Fig. 6, control appliance 502 comprises processor 602, memory 604, read-only memory (ROM) 606, transceiver 608, bus 610, communication interface 612, display 614, input equipment 616 and cursor control 618.
Processor 602 as used herein refers to the counting circuit of any type, such as, but not limited to, microprocessor, microcontroller, sophisticated vocabulary calculate the treatment circuit of microprocessor, reduced instruction set computer calculating microprocessor, very long instruction word microprocessor, explicit parallel instruction calculating microprocessor, graphic process unit, digital signal processor or any other type.Processor 602 can also comprise embedded controller, such as general or programmable logic device or array, application-specific integrated circuit (ASIC), single-chip computer, smart card etc.
Memory 604 and ROM606 can be volatile memory and nonvolatile memory.According to the one or more embodiment that describe among Fig. 1 to Fig. 5, memory 604 comprises the CMS module 504 of the configuration information of storing at the UPnP data model for secure access.Various computer-readable recording mediums can be stored in the memory component and from memory component and access.Memory component can comprise any suitable memory devices for storage data and machine readable instructions, such as read-only memory, random access memory, Erasable Programmable Read Only Memory EPROM, Electrically Erasable Read Only Memory, hard disk drive, for the treatment of CD (compact disk), digital video disc, floppy disk, cassette tape, storage card, memory stick
TM(Memory Sticks
TM) removable media drive etc.
The embodiment of this theme can binding modules realizes, described module comprises be used to executing the task or defining function, program, data structure, the application program of abstract data type or rudimentary hardware context.Can be carried out by processor 602 in the machine readable instructions that any above-mentioned storage medium is stored.For example, according to instruction and the embodiment as described herein of this theme, computer program can comprise the machine readable instructions of the configuration information of can secure access storing in the UPnP data model.In one embodiment, program can be included on the compact disc-ROM (CD-ROM), and is loaded into hard disk drive the nonvolatile memory from CD-ROM.Machine readable instructions can make control appliance 502 encode according to the various embodiment of this theme.
Transceiver 608 can be received in the request that operates on data model (a plurality of) node, and operates at (a plurality of) node of data model based on the role at control point 506 and the ACS data grant control point 506 of (a plurality of) node.Bus 610 is as interconnecting between the various assemblies of control appliance 502.Assembly such as communication interface 612, display 614, input equipment 616 and cursor control 618 is known to those skilled in the art, and therefore the description thereof will be omitted.
With reference to certain exemplary embodiments present embodiment has been described; It is evident that, can make various modifications and change and the wider spirit and scope that do not break away from various embodiment to these embodiment.In addition, various device as described herein, module, selector, estimator etc. can start and operate with hardware circuit, and described hardware circuit is for example based on logical circuit, firmware, software and/or hardware, the firmware of complementary metal oxide semiconductors (CMOS) and/or be embodied in any combination of the software in the machine readable media.For example, various electrical structures and method can be come implementation with transistor, gate with such as the electric circuit of application-specific integrated circuit (ASIC).
Appendix ' A'
<ACLData>
<NodeIdentifier>/A/B/C</NodeIdentifier>
<Access>Public</Access>
<Read>Basic</Read>
<Modify>None</Modify>
<ACLData>
Appendix ' B'
<ACLData>
<NodeIdentifier>/A/B</NodeIdentifier>
<Access>Public</Access>
<Read>Admin</Read>
<Modify>Admin</Modify>
<ACLData>
Appendix ' C'
<ACLData>
<NodeIdentifier>/A/B/D</NodeIdentifier>
<Access>Public</Access>
<Read>Basic</Read>
<Modify>Admin</Modify>
<ACLData>
Claims (31)
1. a computer-implemented method is used for the configuration information that secure access is stored in the data model of the home network environment with one or more control points and one or more control appliances, and the method comprises:
Receive the request of one or more nodes of operating data model from the control point, wherein data model comprises a plurality of nodes, each the expression configuration information in described a plurality of nodes;
Based on the request that receives, determine the role who is associated with the control point;
Determine whether the role who is associated with the control point is in the recommendation role tabulation that is associated with the request that receives;
If so, then allow one or more nodes of control point operating data model;
If not, then based on determining with each the access control list (ACL) data that are associated in one or more nodes whether the control point has the suitable role of one or more nodes of operating data model;
If so, then allow one or more nodes of control point operating data model;
If not, then the display at the control point returns error message.
2. the method for claim 1, wherein the request of operating data model is included in the request of carrying out one of accessing operation, retouching operation and read operation on the data model.
3. the method for claim 1, wherein described one or more node comprises leaf node, single-instance node, many examples node and example node.
4. the role who the method for claim 1, wherein is associated with the control point is one of role of basic role, public role, role of manager and manufacturer's definition.
5. the method for claim 1, wherein comprise with access elements, read element and revise the node identifier that element is associated with each ACL data that are associated in one or more nodes.
6. method as claimed in claim 2 wherein, allows one or more nodes of control point operating data model to comprise:
So that the configuration information of storing can be accessed in the control point in one or more nodes of data model.
7. method as claimed in claim 2 wherein, allows one or more nodes of control point operating data model to comprise:
So that at least one node that is associated with one or more nodes of data model can be read in the control point.
8. method as claimed in claim 2 wherein, allows one or more nodes of control point operating data model to comprise:
So that at least one node that is associated with one or more nodes of data model can be revised in the control point.
9. the method for claim 1, wherein based on determining that with each the ACL data that are associated in one or more nodes the suitable the role whether control point has one or more nodes of operating data model comprises:
Determine the node identifier that is associated with the node of data model in the request that receives;
The ACL data that retrieval is associated with the node of data model based on node identifier;
Determine the role be associated with the control point whether with the role match that is authorized to node in the ACL data and carries out the operation of asking;
If so, then determine in the request that receives, whether to remain any other node;
If so, then repeat above-mentioned steps until all nodes are all processed;
If not, then allow one or more nodes of control point operating data model.
10. method as claimed in claim 9, wherein, whether determine the role that is associated with the control point and the ACL data that are associated with node in the random angle colour matching comprise:
If not, then the display at the control point returns error message.
11. a device comprises:
Processor; And
Memory, it is couple to processor, and wherein, described processor comprises for configuration admin service (CMS) module of carrying out following operation:
Receive the request of one or more nodes of operating data model from the control point, wherein data model comprises a plurality of nodes, each the expression configuration information in described a plurality of nodes;
Based on the request that receives, determine the role who is associated with the control point;
Determine whether the role who is associated with the control point is in the recommendation role tabulation that is associated with the request that receives;
If so, then allow one or more nodes of control point operating data model;
If not, then based on determining with each the access control list (ACL) data that are associated in one or more nodes whether the control point has the suitable role of one or more nodes of operating data model;
If so, then allow one or more nodes of control point operating data model;
If not, then the display at the control point returns error message.
12. device as claimed in claim 11, wherein, the request of operating data model is included in the request of carrying out one of accessing operation, retouching operation and read operation on the data model.
13. device as claimed in claim 11, wherein, described one or more nodes comprise leaf node, single-instance node, many examples node and example node.
14. device as claimed in claim 11, wherein, the role who is associated with the control point is one of role of basic role, public role, role of manager and manufacturer's definition.
15. device as claimed in claim 11 wherein, comprises with access elements, reads element and revise the node identifier that element is associated with each ACL data that are associated in one or more nodes.
16. device as claimed in claim 12, wherein, during the one or more nodes that allow control point operating data model, described CMS module is so that the configuration information of storing can be accessed in the control point in one or more nodes of data model.
17. device as claimed in claim 12, wherein, during the one or more nodes that allow control point operating data model, described CMS module is so that at least one node that is associated with one or more nodes of data model can be read in the control point.
18. device as claimed in claim 12, wherein, during the one or more nodes that allow control point operating data model, described CMS module is so that at least one node that is associated with one or more nodes of data model can be revised in the control point.
19. a non-provisional computer-readable recording medium that stores therein instruction, this instruction makes this control appliance manner of execution when being moved by the control appliance in the home network environment, and the method comprises:
Receive the request of one or more nodes of operating data model from the control point, wherein data model comprises a plurality of nodes, each the expression configuration information in described a plurality of nodes;
Based on the request that receives, determine the role who is associated with the control point;
Determine whether the role who is associated with the control point is in the recommendation role tabulation that is associated with the request that receives;
If so, then allow one or more nodes of control point operating data model;
If not, then based on determining with each the access control list (ACL) data that are associated in one or more nodes whether the control point has the suitable role of one or more nodes of operating data model;
If so, then allow one or more nodes of control point operating data model;
If not, then the display at the control point returns error message.
20. storage medium as claimed in claim 19, wherein, the request of operating data model is included in the request of carrying out one of accessing operation, retouching operation and read operation on the data model.
21. storage medium as claimed in claim 19, wherein, described one or more nodes comprise leaf node, single-instance node, many examples node and example node.
22. storage medium as claimed in claim 19, wherein, the role who is associated with the control point is one of role of basic role, public role, role of manager and manufacturer's definition.
23. storage medium as claimed in claim 19 wherein, comprises with access elements, reads element and revise the node identifier that element is associated with each ACL data that are associated in one or more nodes.
24. storage medium as claimed in claim 20 wherein, allows the instruction of one or more nodes of control point operating data model to comprise:
So that the configuration information of storing can be accessed in the control point in one or more nodes of data model.
25. storage medium as claimed in claim 20 wherein, allows the instruction of one or more nodes of control point operating data model to comprise:
So that at least one node that is associated with one or more nodes of data model can be read in the control point.
26. storage medium as claimed in claim 20 wherein, allows the instruction of one or more nodes of control point operating data model to comprise:
So that at least one node that is associated with one or more nodes of data model can be revised in the control point.
27. a domestic network system comprises:
At least one control point is used for the request of one or more nodes of call operation data model, and wherein data model comprises a plurality of nodes, each the expression configuration information in described a plurality of nodes; And
At least one control appliance, itself and at least one control point couple communicatedly, and described at least one control appliance is used for:
Based on the request that receives, determine the role who is associated with at least one control point;
Determine whether the role who is associated with at least one control point is in the recommendation role tabulation that is associated with the request that receives;
If so, then allow one or more nodes of at least one control point operating data model;
If not, then based on determining with each the access control list (ACL) data that are associated in one or more nodes whether at least one control point has the suitable role of one or more nodes of operating data model;
If so, then allow one or more nodes of at least one control point operating data model;
If not, then the display at least one control point returns error message.
28. system as claimed in claim 27, wherein the request of operating data model is included in the request of carrying out one of accessing operation, retouching operation and read operation on the data model.
29. system as claimed in claim 27, wherein, described one or more nodes comprise leaf node, single-instance node, many examples node and example node.
30. system as claimed in claim 27, wherein, the role who is associated with at least one control point is one of role of basic role, public role, role of manager and manufacturer's definition.
31. system as claimed in claim 27 wherein, comprises with access elements, reads element and revise the node identifier that element is associated with each ACL data that are associated in one or more nodes.
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| IN1966CH2010 | 2010-07-10 | ||
| IN1966/CHE/2010 | 2010-07-10 | ||
| PCT/KR2011/005070 WO2012008721A2 (en) | 2010-07-10 | 2011-07-11 | Method and system for securing access to configuration information stored in universal plug and play data models |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103081402A true CN103081402A (en) | 2013-05-01 |
| CN103081402B CN103081402B (en) | 2015-09-09 |
Family
ID=45469903
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201180039252.XA Active CN103081402B (en) | 2010-07-10 | 2011-07-11 | The method and system of the configuration information that secure access stores in UPnP data model |
Country Status (5)
| Country | Link |
|---|---|
| US (1) | US9355260B2 (en) |
| EP (1) | EP2591574B1 (en) |
| KR (1) | KR101860964B1 (en) |
| CN (1) | CN103081402B (en) |
| WO (1) | WO2012008721A2 (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9106671B2 (en) * | 2011-08-23 | 2015-08-11 | Telefonaktiebolaget L M Ericsson (Publ) | Capability discovery optimization |
| CN105577399A (en) * | 2014-10-09 | 2016-05-11 | 中兴通讯股份有限公司 | Network device access control list management method and network device access control list management device |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070208948A1 (en) * | 2006-02-24 | 2007-09-06 | Nokia Corporation | System and method for configuring security in a plug-and-play architecture |
| US20070254630A1 (en) * | 2006-04-24 | 2007-11-01 | Nokia Corporation | Methods, devices and modules for secure remote access to home networks |
Family Cites Families (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20020133716A1 (en) * | 2000-09-05 | 2002-09-19 | Shlomi Harif | Rule-based operation and service provider authentication for a keyed system |
| JP4224226B2 (en) * | 2001-06-26 | 2009-02-12 | 富士通株式会社 | Display control method, display control system, display control program, and computer-readable medium |
| US7647385B2 (en) | 2003-12-19 | 2010-01-12 | Microsoft Corporation | Techniques for limiting network access |
| US20050160144A1 (en) * | 2003-12-24 | 2005-07-21 | Rishi Bhatia | System and method for filtering network messages |
| US20070214497A1 (en) * | 2006-03-10 | 2007-09-13 | Axalto Inc. | System and method for providing a hierarchical role-based access control |
| US8341694B2 (en) * | 2006-07-08 | 2012-12-25 | International Business Machines Corporation | Method and system for synchronized access control in a web services environment |
| US8732854B2 (en) * | 2006-11-01 | 2014-05-20 | Time Warner Cable Enterprises Llc | Methods and apparatus for premises content distribution |
| JP4984907B2 (en) * | 2007-01-19 | 2012-07-25 | ソニー株式会社 | Network system, direct access management server, event notification method, network home appliance, and computer program |
| CN103458477B (en) * | 2007-09-27 | 2016-06-29 | 松下电器(美国)知识产权公司 | Mobile terminal, the method performed in the terminal and information server |
| KR101614945B1 (en) | 2008-08-20 | 2016-04-25 | 삼성전자주식회사 | Method and apparatus for protecting of pravacy in home network |
| KR101662838B1 (en) | 2008-10-10 | 2016-10-10 | 삼성전자주식회사 | System and method for establishing security of contrilled device by control point device in home network |
| US8838644B2 (en) * | 2009-11-25 | 2014-09-16 | International Business Machines Corporation | Extensible access control list framework |
-
2011
- 2011-07-11 KR KR1020127032899A patent/KR101860964B1/en active IP Right Grant
- 2011-07-11 EP EP11807006.9A patent/EP2591574B1/en active Active
- 2011-07-11 WO PCT/KR2011/005070 patent/WO2012008721A2/en active Application Filing
- 2011-07-11 US US13/809,545 patent/US9355260B2/en active Active
- 2011-07-11 CN CN201180039252.XA patent/CN103081402B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070208948A1 (en) * | 2006-02-24 | 2007-09-06 | Nokia Corporation | System and method for configuring security in a plug-and-play architecture |
| US20070254630A1 (en) * | 2006-04-24 | 2007-11-01 | Nokia Corporation | Methods, devices and modules for secure remote access to home networks |
Non-Patent Citations (1)
| Title |
|---|
| GUNTER KARJOTH: ""Implementing ACL-based Policies in XACML"", 《2008 ANNUAL COMPUTER SECURITY APPLICATIONS CONFERENC》 * |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2012008721A2 (en) | 2012-01-19 |
| CN103081402B (en) | 2015-09-09 |
| KR101860964B1 (en) | 2018-05-24 |
| US20130117866A1 (en) | 2013-05-09 |
| WO2012008721A3 (en) | 2012-04-05 |
| EP2591574B1 (en) | 2018-09-05 |
| EP2591574A2 (en) | 2013-05-15 |
| KR20130100242A (en) | 2013-09-10 |
| EP2591574A4 (en) | 2014-07-16 |
| US9355260B2 (en) | 2016-05-31 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP2769314B1 (en) | Network connected media gateway for communication networks | |
| CN100586073C (en) | Simple and dynamic configuration of network devices | |
| US8588990B2 (en) | Communicating through a server between appliances and applications | |
| KR101186392B1 (en) | A distributed mesh network | |
| US20020082818A1 (en) | Data model for automated server configuration | |
| US20090055536A1 (en) | System and method for plug and play between host and client | |
| US9094409B2 (en) | Method for configuring access rights, control point, device and communication system | |
| KR20150093663A (en) | Method and apparatus for authenticating access authorization in wireless communication system | |
| US11218441B2 (en) | Use of a network address by a network accessory | |
| US20060129700A1 (en) | Bridging a local bus with a data network | |
| CN103081402B (en) | The method and system of the configuration information that secure access stores in UPnP data model | |
| KR100958898B1 (en) | Enhancements for discovering device owners in a UPnP searching service | |
| US20160099928A1 (en) | Systems and methods for managing connections for universal plug-and-play devices | |
| CN103098434A (en) | System and method for managing a control device in a universal plug and play home network | |
| US9270530B1 (en) | Managing imaging of multiple computing devices | |
| US10142676B2 (en) | Residential gateway making at least one private memory space available | |
| KR101860967B1 (en) | Method and system for providing security for universal plug and play operations in a home network environment based on ownership rights | |
| CN114116387A (en) | Cross-ecological video monitoring management method and device, storage medium and electronic equipment | |
| CN117917103A (en) | Subscription control method, device, computer equipment and storage medium | |
| CN117354063A (en) | IPv 6-based intelligent internet terminal management method, system, medium and equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |